Impact Team releases stolen Ashley Madison data online

The Impact Team have released stolen Ashley Madison data on the dark web, which includes personal information belonging to 37 million users of the website.

Cybercriminals have reportedly released personal information belonging to Ashley Madison users on the dark web, a month after it was first revealed that its system had been compromised.

Various reputable media outlets, including Wired, the Guardian and the BBC, note that sensitive details of up to 37 million users of the self-confessed “most famous name in infidelity and married dating” are now available online.

The individuals behind the attack, known as the Impact Team, appear to have made good on their threat. It is claimed that up to 10 gigabytes of data is now available, although at present it can only be accessed via encrypted browsers.

The group had stated in July that user data, including names, email addresses, mobile numbers and credit card information, would be published in full if Ashley Madison and its affiliated website Established Men were not taken “offline permanently”.

As a demonstration of its will, it released 40 megabytes worth of data at the time, which included credit card details and internal documents belonging to Ashley Madison.

Toronto-based Avid Life Media, which owns both websites, refused to bow to pressure from the Impact Team. On learning that further stolen data had been released yesterday (18th August), it said in a statement:

“This event is not an act of hacktivism, it is an act of criminality.”

“It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities.”

“The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society.”

Millions of worried users

Needless to say, the initial news of the breach and the subsequent, recent revelation that personal information has now been disclosed have left many members of Ashley Madison concerned over the possible fallout of this data dump.

Most have signed up to the service confident that their extramarital affairs would remain under lock and key. After all, the website, whose tagline reads “Life is short. Have an affair.”, prides itself on offering “maximum privacy and discretion”.

In response to user concerns, Ashley Madison said it would offer members a full-delete option, which it usually charges £15 for. The Impact Team have argued that this is a “complete lie”.

This has been strongly refuted by the website, which stated at the time of the attack:

“Contrary to current media reports, and based on accusations posted online by a cyber criminal, the ‘paid-delete’ option offered by AshleyMadison.com does in fact remove all information related to a member’s profile and communications activity.

“The process involves a hard-delete of a requesting user’s profile, including the removal of posted pictures and all messages sent to other system users’ email boxes.”

The grey area

While many individuals are rightly concerned that their personal information may be exposed, others, unknowingly, may find themselves embroiled in the unfolding Ashley Madison data breach story.

For example, the security blogger and researcher Graham Cluley explained in his blog that just because an email address has been used to activate an account on the website, “the owner of that email address may never have even visited the Ashley Madison site”.

“So, I could have created an account at Ashley Madison with the address of barack.obama@whitehouse.gov, but it wouldn’t have meant that Obama was a user of the site,” he said.

As others have reported – like Stephen Cobb, a senior security researcher at ESET – currently, anyone signing up to the website does not need to have their email address verified. In other words, you can use any email address to set up a profile (so long as it hasn’t already been used), all without the person knowing.

Additionally, as Mr Cluley discusses, even if people have signed up to the website, it still doesn’t suggest that they have been involved in an affair:

“You might have joined the site years before when you were single and be shocked that they still have your details in their database, or you might have joined the site out of curiosity or for a laugh … never seriously planning to take things any further.”

Beyond the data dump

What is clear is that one, there has been a major data breach that has affected millions of people all over the world (Ashley Madison operates in over 50 countries); two, the attackers have demonstrated that they are true to their word; and three, members of the site remain in a state of personal and professional limbo.

In the meantime, a full investigation, ordered by Ashley Madison, is underway to ascertain the “origin, nature, and scope of this attack”. In addition to working with security professionals, the infidelity website is also cooperating with multiple law enforcement investigations that are being carried out by the FBI, the Royal Canadian Mounted Police, the Ontario Provincial Police and the Toronto Police Services.